How to Secure a FTP Server Using SSL/TLS for Secure File Transfer in CentOS 7

By its original design, FTP (File Transfer Protocol) is not secure, meaning it doesn’t encrypt data being transmitted between two machines, along with user’s credentials. This poses a massive threat to data as well as server security.

In this tutorial, we will explain how to manually enable data encryption services in a FTP server in CentOS/RHEL 7 and Fedora; we will go through various steps of securing VSFTPD (Very Secure FTP Daemon) services using SSL/TLS certificates.

Prerequisites:

Before we start, note that all the commands in this tutorial will be run as root, otherwise, use the sudo command to gain root privileges if you are not controlling the server using the root account.

Step 1. Generating SSL/TLS Certificate and Private Key

1. We need to start by creating a subdirectory under: /etc/ssl/ where we will store the SSL/TLS certificate and key files:

# mkdir /etc/ssl/private

2. Then run the command below to create the certificate and key for vsftpd in a single file, here is the explanation of each flag used.

The above command will ask you to answer the questions below, remember to use values that apply to your scenario.

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:admin@tecmint.com

Step 2. Configuring VSFTPD To Use SSL/TLS

3. Before we perform any VSFTPD configurations, let’s open the ports 990 and 40000-50000 to allow TLS connections and the port range of passive ports to define in the VSFTPD configuration file respectively:

4. Now, open the VSFTPD config file and specify the SSL details in it:

- Advertisement -

# vi /etc/vsftpd/vsftpd.conf

Look for the option ssl_enable and set its value to YES to activate the use of SSL, in addition, since TSL is more secure than SSL, we will restrict VSFTPD to employ TLS instead, using the ssl_tlsv1_2 option:

ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO

5. Then, add the lines below to define the location of the SSL certificate and key file:

6. Next, we have to prevent anonymous users from using SSL, then force all non-anonymous logins to use a secure SSL connection for data transfer and to send the password during login:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

7. In addition, we can add the options below to boost up FTP server security. When option require_ssl_reuse is set to YES, then, all SSL data connections are required to exhibit SSL session reuse; proving that they know the same master secret as the control channel.

Therefore, we have to turn it off.

require_ssl_reuse=NO

Again, we need to select which SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option. This can greatly limit efforts of attackers who try to force a particular cipher which they probably discovered vulnerabilities in:

ssl_ciphers=HIGH

8. Now, set the port range (min and max port) of passive ports.

pasv_min_port=40000
pasv_max_port=50000

9. Optionally, allow SSL debugging, meaning openSSL connection diagnostics are recorded to the VSFTPD log file with the debug_ssl option:

debug_ssl=YES

Save all the changes and close the file. Then let’s restart VSFTPD service:

# systemctl restart vsftpd

Step 3: Testing FTP server With SSL/TLS Connections

10. After doing all the above configurations, test if VSFTPD is using SSL/TLS connections by attempting to use FTP from the command line as follows:

14. Then click on Connect to enter the password again, and then verify the certificate being used for the SSL/TLS connection and click OK once more to connect to the FTP server:

At this stage, we should have logged successfully into the FTP server over a TLS connection, check the connection status section for more information from the interface below.

15. Last but not least, try transferring files from the local machine to the FTP sever in the files folder, take a look at the lower end of the FileZilla interface to view reports concerning file transfers.

That’s all! Always keep in mind that FTP is not secure by default, unless we configure it to use SSL/TLS connections as we showed you in this tutorial. Do share your thoughts about this tutorial/topic via the feedback form below.

VPS House was founded in 2012, Seattle, Washington, immediately gaining it’s market share as one of the best valued hosting companies. We with over a decade of experience building high-performance infrastructure hosting platforms for businesses globally.